It's an observation a lot of IT security practitioners are making of late: That companies are so obsessed about compliance and getting through a list of checkboxes that security technology is being haphazardly implemented -- in ways that actually increase a company's risk.
At the recent ShmooCon security conference in Washington D.C., CSO Senior Editor Bill Brenner asked Ontario-based CISO and security consultant James Arlen for examples of the problem. Here is what he has seen, and what -- if anything -- we can do about it.
There are a lot of tech-heavy talks going on at ShmooCon this year. As a CISO, what are your biggest technological concerns?
James Arlen: We need to be focusing more on the quality of security technology implementation. It's no longer enough just to buy the thing; to have that technological doo-dad. When you get through all your PCI security checkmarks and get through your SAS70 requirements that's great, but are you really getting the value that you're supposed to be getting?
And you don't see that happening?
Arlen: In a lot of cases there really is no way to get that value because of the implementation. You buy it, you turn it on, the red light is blinking and it's making the peeping sound. But it's not doing anything for you. You're not getting any risk reduction. You're not increasing your situational awareness. We need to find a way to get better at that stuff faster.
Given an example of where, in your business travels, you see this sort of problem unfolding.
Arlen: In my long, sordid history as a security consultant I see it all the time. You'd see these firewalls implemented with hugely long rule sets and all kinds of effort put into them. But then you go down to the bottom of those rule sets and discover that somebody slipped in an "any-any" rule because it would make testing easier or allow them to get something into production faster. So it's an example of taking all this hard work you've done and undoing it in the name of expediency.
The flip side of that is that, in being a security operational person, you go out and get the tool, and you train one or more people to use it, and because the security industry is as fast paced as it is -- fast paced being another way of saying "high turnover," -- you end up in a situation where three to six months down the line you're in a position where you don't have that practitioner excellence and you have a tool that has essentially been shelved because there's no one who knows how to pick it up and use it.
Is that something that can be remedied by getting training for a wider group of people in the IT shop?
Arlen: The cost of training, when you're not in implementation phase, isn't something that you can throw into the capital budget. It has to come from your daily operational budget and you don't have the money for it. You can't afford to send someone to San Jose for training for two weeks to get really good at it, and you're back at that point where you're hoping you can hire a capability when you really want to hire a person who has a capability. So you end up back into this hire-and-fire mindset that does absolutely nothing for the organizational security. You end up with this awesome hammer and this huge number of nails that need to be whacked, and nobody's really sure which end to hit the nail with.
That sentiment came out in a survey CSOonline recently did with the U.S. Secret Service, Carnegie Mellon University CERT and Deloitte & Touche. Companies told us they've spent millions to bolster their IT security in recent years. But some are starting to wonder if it's been worth it.
Arlen: It goes back to this idea I've been trying to get people to understand for years now: the idea that you don't need to be compliant, you need to be meta-compliant. You don't want to be compliant with specific regimes. You want to be compliant with a super set of all those regimes. The only way to get there is to essentially have an enlightened desire to do the right thing.
When it comes right down to it, the security spend is tied more tightly to quarterly results and shareholder value than almost anything else because, at the end of the day, security spend is just another kind of insurance spend.